Docker instance running on private subnet AWS Fargate


Problem description

My VPC consists of 2 public and 2 private subnets, the private subnets having a NAT gateway to access the internet, and my Docker instance is running on a private subnet. It receives external URLs (http://commondatastorage.googleapis.com/gtv-videos-bucket/sample/BigBuckBunny.mp4) as input, downloads the content/file and stores the files in S3.

I have an application load balancer set up in a public subnet that connects to the Fargate instance.

When I try to run it, the logs say NAME cannot be resolved: commondatastorage.googleapis.com

I understand that Docker does not have an internet connection.

What am I doing wrong here and what needs to be corrected?

PS: While creating the Fargate service I DISABLED Auto Assign Public IP, as the instance should be on a private subnet.

Recommended answer

You probably already checked the AWS page about "Task Networking in AWS Fargate".

The key to being able to reach the internet is a NAT, so, if it's not working, you should start from that when checking for errors. You can see how important it is from the following description taken from the page I linked:

In this configuration, the tasks can still communicate to other servers on the internet via the NAT gateway. They would appear to have the IP address of the NAT gateway to the recipient of the communication. If you run a Fargate task in a private subnet, you must add this NAT gateway. Otherwise, Fargate can't make a network request to Amazon ECR to download the container image, or communicate with Amazon CloudWatch to store container metrics.

If the NAT for some reason is not working, another approach could be to ENABLE Auto Assign Public IP, but define a security group that blocks any attempt to connect to your tasks in the private VPC. In this way the task will be able to reach the DNS server required to resolve commondatastorage.googleapis.com.
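One way to do the check the answer recommends (start from the NAT) is to read the route tables associated with the task's subnets and see where their default route points. This is an added example, not code from the post or from AWS; the route-table JSON is a constructed sample shaped like `aws ec2 describe-route-tables` output with made-up IDs, and the `blackhole` state is what AWS reports when a route's NAT gateway has been deleted.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output; IDs are made up.
SAMPLE_ROUTE_TABLES = json.dumps({"RouteTables": [
    {"Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c", "State": "active"}]},
    {"Associations": [{"SubnetId": "subnet-private-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-deleted", "State": "blackhole"}]},
    {"Associations": [{"SubnetId": "subnet-public-a"}, {"SubnetId": "subnet-public-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c", "State": "active"}]},
    {"Associations": [{"SubnetId": "subnet-isolated"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]})

# Keys under which a route's target can appear in the API response.
TARGET_KEYS = ("NatGatewayId", "GatewayId", "TransitGatewayId",
               "NetworkInterfaceId", "InstanceId", "VpcPeeringConnectionId")

def default_route(route_table):
    """Return (target_id, state) of the 0.0.0.0/0 route, or (None, None) if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            target = next((route[k] for k in TARGET_KEYS if k in route), None)
            return target, route.get("State")
    return None, None

def classify(route_table):
    """Say what the default route means for a Fargate task that has no public IP."""
    target, state = default_route(route_table)
    if target is None:
        return "isolated"      # no egress: image pulls, CloudWatch and external URLs all fail
    if state == "blackhole":
        return "blackhole"     # route exists but its NAT gateway (or other target) is gone
    if target.startswith("nat-"):
        return "private-nat"   # the configuration the answer describes as required
    if target.startswith("igw-"):
        return "public-igw"    # only usable with a public IP, so pair it with a strict security group
    return "other"             # e.g. transit gateway or NAT instance: verify that path separately

def assess(route_tables_json):
    """Map every subnet associated with a route table to its egress classification."""
    verdicts = {}
    for rt in json.loads(route_tables_json)["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                verdicts[assoc["SubnetId"]] = classify(rt)
    return verdicts
```

Feed `assess()` the real CLI output for the VPC in question; a task subnet that comes back as anything other than `private-nat` explains a failed download before any DNS debugging is needed.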
